It takes as little as five minutes for LockBit ransomware to deploy the encryption routine on target systems until it arrives on the network of victims.

In September 2019, entering the ransomware-as-a-service (RaaS) market, LockBit is unique in that it is powered by automated processes to spread rapidly through the victim network, locate and lock up valuable systems.

As the malware loads into the system memory, with logs and supporting files removed upon execution, LockBit attacks leave little traces for forensic examination.

Scripts and backdoors

Security researchers at Sophos were able to add more pieces to the puzzle that is LockBit after reviewing a series of eight incidents at smaller organizations.

In one instance, they discovered that the attack started from a compromised Internet Information Server that started a PowerShell remote script calling another script embedded in a Google Sheets remote document.

To retrieve and install a PowerShell module to add a backdoor and build persistence, this script connects to a command and control server.

The intruder renamed copies of PowerShell and the binary for running Microsoft HTML Applications (mshta.exe) to avoid control and go unnoticed in the logs; this caused Sophos to call this a ‘PS Rename’ attack.

The backdoor exploit is meant to install attack modules and run a VBScript that downloads and executes a second backdoor to restart systems. Below, an outline of the attack is available:

“The attack scripts also attempt to bypass Windows 10’s built-in anti-malware interface [AMSI], directly applying patches to it in memory,” says Sean Gallagher, Senior Threat Researcher at Sophos

The use of scripts based on the PowerShell Empire post-exploitation paradigm is implied by objects found on attacked systems. Their aim was to gather information about the network of victims, identify useful systems, and search for available defense solutions.

Gallagher notes that these scripts often use regular expressions to scan for “very specific types of business software” used for point-of – sale or accounting systems in the Windows Registry.

Below is a list of keywords of interest used in the search:

The malicious code would deploy LockBit ransomware only if the targets matched a fingerprint indicating an attractive target, the researcher notes in a report today.

Fast Attack

LockBit ransomware can execute in memory within five minutes using a Windows Management Instrumentation (WMI) command after selecting the valuable targets.

“All of the targets were hit within five minutes over WMI. The server-side file used to distribute the ransomware, along with most of the event logs on the targeted systems and the server itself, were wiped in the course of the ransomware deployment” – Sean Gallagher

The investigator says that because the attack modules changed firewall rules to allow it, WMI commands could transfer from a server to a device.

The initial compromise method remains unknown in these attacks. McAfee Labs and cybersecurity company Northwave detail how LockBit ransomware obtained access to the victim network by brute-forcing the logins of an admin for an obsolete VPN service in a study from May.

The malware encrypted about 25 servers and 225 computer systems within three hours.

Check out Diriga’s Ransomware Protection Services to see how we can help you defend from these types of attacks!